Adnan was the first to answer and also the one to post statistics in a comment. He was IMHO correct in pointing out the futility of excluding whole clusters of countries allied to the US (yet the country I alluded to may or may not have been the States, there are fewer allies for other surveillance powers which kind of invalidates his point).

user239558 stressed that Tor is biased towards highest bandwidth nodes, and emphasized the need to tailor torrc to the assumed threat. Was thinner on the details.

Thomas provided a more rounded (IMHO) perspective, including extra reasons for governments to control exit nodes. That's why I chose his answer to be "correct".

The fact that these explanations were necessary convinces me that the close-voters were right and that these three answers were primarily opinion-based. I suppose that it is not reasonable to expect posters to conduct their own research and to quantify Tor's degree of vulnerability and to evaluate various mitigation strategies. It is increasingly clear that second-generation onion routing is not really up to the task of countering dedicated, well-funded surveillance efforts. Maybe when there are hundreds of thousands ad-hoc meshed (wireless) network nodes bypassing existing infrastructure truly anonymous networking becomes a real possibility.

Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise.
If this question can be reworded to fit the rules in the help center, please edit the question.

5

There is a west nauru? The country is only 21 square km big o.O
–
Lucas 'Paul' KauffmanAug 2 '13 at 11:21

3 Answers
3

Nauru is a sad example of what happens when a country's economy is based on a non-renewable mineral resource: when the resource is exhausted, the people become poor. All of them. Nauru sports an unemployment rate of about 90% (!) and survives only by being a charity case for Australia, who injects millions of dollars per year in order to avoid mass starvation.

I strongly doubt that Nauru's government would have the resources of maintaining a large-scale spy program. Of, for that matter, I doubt they could pay for reasonable network bandwidth at all. Therefore I suppose you used "West Nauru" as a generic name for a fictitious country.

Back to the point:Tor can provide anonymity, with a high probability of success, only if not all nodes are hostile. The anonymity becomes void if both the entry node and the exit node are malicious and collaborate with each other (because they can match the entry and the exit based on the data size and its time stamps). Not using known "evil" nodes looks like a good idea... but you must also have sufficiently many nodes to choose from, too. There is a "mass effect": an "evil node" is a node which inspects data in transit and tries to make correlations. A node can be evil by virtue of being operated by The Adversary (whoever your own Demon may be), but also if it is honest but under close surveillance.

So the robustness of the anonymity provided by Tor relies, in a large part, on the fact that your computer will choose a random path through a lot of nodes, geographically spread out, and under the assumption that your enemy will not be able to control all of them. Pruning out nodes may help your enemy by simply reducing the number of nodes he has to take care of.

Therefore, removing bad exit nodes from the list of exit nodes you will use is a good idea only if the exit nodes are indeed "bad" without any doubt. But how can you really know that ?

(Also, governmental agencies are prone to run exit nodes not to break the anonymity, but because it is a place where a lot for shady traffic will occur. They will then provide a good, reliable service.)

In my opinion, this is an opinion-based question. Why? Because it does make sense to filter rouge exit nodes, but how do you know which ones are and which ones aren't? Where do you draw the line in your approach?

Excluding exit nodes by country means that you'll eventually want to exclude all U.S. nodes (especially after all of latest NSA news). Then you'd want to exclude other NSA-friendly countries like Australiaand New Zealand. After that, it only makes sense to exclude other U.S. allies, like the UK, Saudi Arabia, Jordan, Israel, and NATO countries. That will shave off more than 90% of the exit nodes in the world. You'll end up with a handful of exit nodes, now guess what will happen then?

Yes, you've probably guessed right. Excluding nodes based on country to avoid surveillance will lead to fewer and fewer frequently used nodes, and thus easier surveillance.

Are there any quantitative studies out there that put lower limits on the number of exit nodes (even with the most simple assumptions)?
–
Deer HunterAug 2 '13 at 12:05

3

@DeerHunter I'm not aware of any studies about that. But if you think about it, it only makes sense. There are currently 917 exit nodes, taking out highly-connected countries like the U.S. and its allies means you'll end up with something like 20-30 (50 max) exit nodes. Fewer nodes means fewer people to force into giving up connection logs, or force to setup special surveillance applications, or even compromise using using state-level 0-day exploits.
–
Adnan - AdiAug 2 '13 at 12:14

which suggests that independent exit nodes are high-profile, high value targets. Wonder if there are any statistics on the number of detected attacks on them.
–
Deer HunterAug 2 '13 at 16:28

Yes absolutely. Or no. The notion that selecting random nodes is the best strategy in Tor is wrong.

You should encode as much knowledge you have, and your specific threat model, into your torrc file.

If you have become aware of the large arithmometers West Nauru has installed that is monitoring and correlating Tor traffic, you should encode this into your torrc file.

My personal view is that large arithmometers and correlation attacks easily break Tor, and that is especially true with the default bandwidth weighted random node selection. I am biased though.

What you should consider is your threat model. West Nauru has repeatedly stressed that they only run these systems to fend off attacks on their republic, mostly by terrorists with bases on the neighbouring Banaba Island in the Kiribati.

So the question is whether you are more or less safe using their exit node than the average node where you will have an average probability of being intercepted by criminals.